QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025

QNAP fixed four vulnerabilities shown at Pwn2Own Ireland 2025 that could enable code execution, data access, or system disruption.

Taiwanese vendor QNAP has addressed multiple vulnerabilities, including four SD-WAN router issues (CVE-2025-62843 to CVE-2025-62846) demonstrated at the Pwn2Own Ireland 2025 by Team DDOS. The team chained multiple bugs in QNAP devices to gain root access and earned a $100,000 reward.

The flaws could allow attackers to access sensitive data, execute code, or disrupt system operations if left unpatched.

The manufacturer addressed the four vulnerabilities in QuRouter version 2.6.3.009.
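Because the advisory names only a fixed release (QuRouter 2.6.3.009), the first thing a defender wants is a reliable way to decide whether an installed build is at or above it. The helper below is an added example, not QNAP's own tooling; it parses dotted QNAP-style version strings (treating a component such as "009" as the number 9) and triages a constructed inventory of hostnames and versions that are made up for illustration.

```python
from __future__ import annotations

# Fixed release named in the advisory; builds below it are assumed affected.
FIXED_QUROUTER_VERSION = "2.6.3.009"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into an integer tuple.

    Leading zeros are not significant ("009" == 9). Non-numeric input is
    rejected rather than silently compared as text.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_QUROUTER_VERSION) -> bool:
    """True if `installed` is at or above `fixed`.

    Shorter strings are right-padded with zeros so "2.6.3" compares as
    "2.6.3.0", i.e. below the fixed 2.6.3.009 build.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map hostname -> True when the reported version is already fixed."""
    return {host: is_patched(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "qhora-lab-01": "2.6.2.112",
        "qhora-lab-02": "2.6.3.009",
        "qhora-lab-03": "2.6.3.9",
        "qhora-lab-04": "2.7.0.001",
    }
    for host, ok in triage(sample).items():
        print(f"{host}: {'patched' if ok else 'NEEDS UPDATE'}")
```

Feed `triage()` the version strings collected from your own device inventory; anything reported as not patched should be scheduled for the QuRouter update.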

The vulnerabilities identified in QHora devices highlight how different levels of access can translate into significant security risks for an organization’s infrastructure. Below are the descriptions of the flaws:

CVE-2025-62843 involves an issue with communication channel restrictions. If an attacker gains physical access to the device, they can exploit this flaw to obtain privileges intended for other endpoints, effectively bypassing existing controls.

CVE-2025-62844 affects the local network level. In this case, an attacker with LAN access can take advantage of weak authentication mechanisms to retrieve sensitive information, exposing data that should remain protected.

More critical is CVE-2025-62846, which comes into play when an attacker gains administrative credentials. By exploiting an SQL injection vulnerability, they can execute unauthorized commands, compromising the integrity and control of the system.
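The advisory gives no detail about where the injection sits in QuRouter, so the following is a generic, added illustration rather than QNAP's code: a settings lookup built by string concatenation beside the parameterized form that fixes it, run against a constructed in-memory SQLite table. It shows why an authenticated administrator's input still has to be bound as data rather than pasted into the statement.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a device settings store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO settings VALUES (?, ?)",
        [("hostname", "router"), ("wan_mtu", "1500")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable pattern: the caller's text is spliced into the SQL itself,
    so quote characters in `name` change the statement's meaning."""
    sql = f"SELECT value FROM settings WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened pattern: `name` is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT value FROM settings WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # A benign key behaves the same way through both paths.
    print(lookup_vulnerable(db, "hostname"), lookup_safe(db, "hostname"))
    # A key containing a quote and a tautology widens the vulnerable query
    # to every row; the parameterized query simply finds no such key.
    odd_key = "x' OR '1'='1"
    print(lookup_vulnerable(db, odd_key), lookup_safe(db, odd_key))
```

The fix is the second function: with a bound parameter the database engine receives the statement and the value separately, so the value cannot alter which rows are matched. The same rule applies to any write path an administrator can reach.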

Finally, CVE-2025-62845 relates to improper handling of escape and control sequences. An attacker with elevated privileges can trigger unexpected system behavior, potentially impacting stability and security.

Overall, these vulnerabilities show how a combination of physical access, network exposure, and elevated privileges can amplify risk, making timely patching and strong security practices essential.

In November 2025, the Taiwanese vendor patched seven zero-day vulnerabilities exploited at Pwn2Own Ireland 2025. The flaws affected QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.

The vulnerabilities addressed by the company were:


Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)
